eb77e2f74a
* First pass of tabs-based organization * Improvements * Second pass at tabs org * Move tab highlighting to Liquid instead of JS * Adding forwarding links for in-product TOCs * Move to pre-rendered left-navs instead of post-load JS for TOC sync * Optimizations and nosync-ing the Reference section * Optimizations, fix Cloud YAML * Make a "Sample applications" node * Update index.md * Tabs CSS fixes and 12-factor reposition * Theme Start (#1709) * Hooking up nav to real TOC data, formatting fixes * Fixing JS error * Layout updates, dark themes, tons o stuff (#1971) * Add cookie saving for day/night mode * Newsite tabs (#2004) * Layout updates, dark themes, tons o stuff * Update themes Theme updates + scaffolding * Update style.css * Update style-alt.css * Missing font fixes * Import Open Sans from Google * Font fix, archive removal in TOC, favicon, Feedback img fix * Oops, returning -webkit-font-smoothing: antialiased; * Add old favicon.ico * Make archives a non-tiered link * Reorder docs archive to newest-first, add local instructions * Commenting out day/night switch for now * Fix 'rate this page' * Rate this page fixes * Autocomplete and Docker Cloud fixes * Open tree to current page * Adding indentation for nav collapse in * Ensure left nav visibly displays the current topic * Update flex layout - adjust rescale - code block styles * add focus to search - force code block color (for now) - increase section max-width * increase content padding - add padding to toc for wrapping long strings. * grid adjustment - grid - content and wrapper adjustments for mobile * left/right sidebar adjustments - refine position on scroll for toc on landing - add default height to compensate for upcoming position absolute onScroll * side bar overflow - hidden on X-scroll * fix version button - override bstrap defaults * tabs + buttons * update landing svgs * fix sidebar height set to 100% on landing pre-affix * Update blurb about engine/editions on front page * add side menu to mobile collapse menu * update classnames * overall mobile tweaks * Right-nav highlighting and auto-scroll * Slightly slower right-nav highlighting, correct version * add toggle menus for small devices * Fixing JS error/Docker 1.13>17.03 * header updates * re-add fan to header * update transition time * Add first 20 words to Twitter card * fixed width of components - lockdown elements on rescale (wil need more TLC) * set max-width of content * Left and right nav resizing w/footer scroll and window resize * update links on landing page * Fix for overzealous resizing, JS redundancies * Fix for JS error on homepage * JS error fixes * toggle adjustments - wrap toggle button * add tab width * version button type * version button both headers * tabs - fix typo * landing page grid * components * Share images, JS fixes, Marketo removal * Anchor links fix * Fix for black space on mobile * Restore hamburger (partial) * Update run.md Minor grammar cleanup. * Update apparmor.md I'm a little confused about which one is better to be used here, a period (.) or a colon (:), as a command is given below. Or both are OK, and we only have to keep consistency in a single page. * Update apparmor.md Fixed the indentation for the codeblock (indented by 4 spaces). Thank you for your careful review. * Replacing service with secret * Update networking.md fix typo with triple "m" for command word * Update run.md Address PR feedback. * Update install instructions to latest version * Added "related topics" section * Add documentation for mem_swappiness * Update to new Docker version scheme (#1926) * mem_swappiness for current version and v1 * merge other changes, fix typo * There is no OpenSuSE and there never was though we had SuSE and S.u.S.E. * Add release notes for 1.12.6-cs9 (#2028) Signed-off-by: Brian Goff <cpuguy83@gmail.com> * need sudo to access key cache (#1931) * need sudo to access key cache * List other keyservers to try for cs-engine install (#2033) * List other keyservers to try for cs-engine install Sometimes ha.pool.sks-keyservers.net goes down, so let's provide some other keyservers to try in such cases. Signed-off-by: Brian Goff <cpuguy83@gmail.com> * Update work_issue.md (#2030) Change "re-start" to "restart". Though not included in "Prefered usages" in the documentation guide, but I think "restart" is better and used more frequently. Besides, some other docs here, such as "Keep containers alive during daemon downtime" of "Admin Guide", also use "restart". * Update create_pr.md (#2015) * Update work_issue.md (#2013) Change "id" to "ID" except for those in code. * Update set_up_dev.md (#2011) Add periods (.) in some steps. * Update set_up_dev.md (#2010) Apply Oxford Comma as described in the documentation guide. * Update create_pr.md (#2014) Delete an extra space. * Update trust_key_mng.md (#1883) * Update trust_key_mng.md * Update trust_key_mng.md I don‘t know how the whitespace appears, and it seems that it appears because something happened related to its original format (right-aligned pipe characters) and my change. Still unknown. Now I've deleted some redundant whitespace. * Update I don‘t know how the whitespace appears, and it seems that it appears because something happened related to its original format (right-aligned pipe characters) and my change. Still unknown. Now I've deleted some redundant whitespace. * Update content_trust.md (#1912) * Update content_trust.md * update deprecation policy Signed-off-by: Victor Vieux <victorvieux@gmail.com> * Update info about how to check whether Docker is running * Updated docs to reflect edge channel Signed-off-by: French Ben <frenchben@docker.com> * Updated wording for SP creation Signed-off-by: French Ben <frenchben@docker.com> * beta to edge, cloud features first draft added cloud images Signed-off-by: Victoria Bialas <victoria.bialas@docker.com> * Distinguish between cloud stack file and stack file * Added EE links Signed-off-by: French Ben <frenchben@docker.com> * Use variables Signed-off-by: French Ben <frenchben@docker.com> * Replace deprecated MAINTAINER with LABEL (#1445) Replace MAINTAINER instruction with LABEL as MAINTAINER was deprecated in https://github.com/docker/docker/pull/25466 * Updates for Docker CE and Docker EE * Updated DDC launch button Signed-off-by: French Ben <frenchben@docker.com> * added Docker Cloud topics for Mac and Windows Signed-off-by: Victoria Bialas <victoria.bialas@docker.com> * d4mac, d4win stable and beta release notes for 17.03.0 Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
111 lines
3.8 KiB
Markdown
111 lines
3.8 KiB
Markdown
---
|
|
description: Deploying a Registry in an insecure fashion
|
|
keywords: registry, on-prem, images, tags, repository, distribution, insecure
|
|
title: Test an insecure registry
|
|
---
|
|
|
|
While it's highly recommended to secure your registry using a TLS certificate
|
|
issued by a known CA, you may alternatively decide to use self-signed
|
|
certificates, or even use your registry over plain http.
|
|
|
|
You have to understand the downsides in doing so, and the extra burden in
|
|
configuration.
|
|
|
|
## Deploying a plain HTTP registry
|
|
|
|
> **Warning**: it's not possible to use an insecure registry with basic authentication.
|
|
|
|
This basically tells Docker to entirely disregard security for your registry.
|
|
While this is relatively easy to configure the daemon in this way, it is
|
|
**very** insecure. It does expose your registry to trivial MITM. Only use this
|
|
solution for isolated testing or in a tightly controlled, air-gapped
|
|
environment.
|
|
|
|
1. Open the `/etc/default/docker` file or `/etc/sysconfig/docker` for editing.
|
|
|
|
Depending on your operating system, your Engine daemon start options.
|
|
|
|
2. Edit (or add) the `DOCKER_OPTS` line and add the `--insecure-registry` flag.
|
|
|
|
This flag takes the URL of your registry, for example.
|
|
|
|
`DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"`
|
|
|
|
3. Close and save the configuration file.
|
|
|
|
4. Restart your Docker daemon
|
|
|
|
The command you use to restart the daemon depends on your operating system.
|
|
For example, on Ubuntu, this is usually the `service docker stop` and `service
|
|
docker start` command.
|
|
|
|
5. Repeat this configuration on every Engine host that wants to access your registry.
|
|
|
|
|
|
## Using self-signed certificates
|
|
|
|
> **Warning**: using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker (see below)
|
|
|
|
This is more secure than the insecure registry solution. You must configure every docker daemon that wants to access your registry
|
|
|
|
1. Generate your own certificate:
|
|
|
|
mkdir -p certs && openssl req \
|
|
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
|
|
-x509 -days 365 -out certs/domain.crt
|
|
|
|
2. Be sure to use the name `myregistrydomain.com` as a CN.
|
|
|
|
3. Use the result to [start your registry with TLS enabled](./deploying.md#get-a-certificate)
|
|
|
|
4. Instruct every docker daemon to trust that certificate.
|
|
|
|
This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt`.
|
|
|
|
5. Don't forget to restart the Engine daemon.
|
|
|
|
## Troubleshooting insecure registry
|
|
|
|
This sections lists some common failures and how to recover from them.
|
|
|
|
### Failing...
|
|
|
|
Failing to configure the Engine daemon and trying to pull from a registry that is not using
|
|
TLS will results in the following message:
|
|
|
|
```none
|
|
FATA[0000] Error response from daemon: v1 ping attempt failed with error:
|
|
Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527.
|
|
If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add
|
|
`--insecure-registry myregistrydomain.com:5000` to the daemon's arguments.
|
|
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
|
|
simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
|
|
```
|
|
|
|
### Docker still complains about the certificate when using authentication?
|
|
|
|
When using authentication, some versions of Docker also require you to trust the
|
|
certificate at the OS level.
|
|
|
|
#### Ubuntu
|
|
|
|
```bash
|
|
$ cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
|
|
update-ca-certificates
|
|
```
|
|
|
|
#### Red Hat Enterprise Linux
|
|
|
|
```bash
|
|
cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
|
|
update-ca-trust
|
|
```
|
|
|
|
#### Oracle Linux
|
|
|
|
```bash
|
|
$ update-ca-trust enable
|
|
```
|
|
|
|
Restart Docker for the changes to take effect.
|